Hi guys!
I have the below query for a Single Value Dashboard Panel. It is counting the daily total error duration of the system.
My problem with this is, when there is no error, it displays "No Results Found" instead of "00:00:00" or "0".
How can I fix this?
| stats sum(DURATION) AS "DURATION"
| eval secs=DURATION%60,mins=floor((DURATION/60)%60),hrs=floor((DURATION/3600)%60)
| eval HOURS=if(len(hrs)=1,"0".tostring(hrs), tostring(hrs)),MINUTES=if(len(mins)=1,"0".tostring(mins), tostring(mins)),SECONDS=if(len(secs)=1,"0".tostring(secs), tostring(secs))
| eval Time=HOURS.":".MINUTES.":".SECONDS
| fields + Time
Try this:
| append [|makeresults | eval DURATION=0]
| stats sum(DURATION) AS DURATION
| eval secs=DURATION%60,mins=floor((DURATION/60)%60),hrs=floor((DURATION/3600)%60)
| eval HOURS=if(len(hrs)=1,"0".tostring(hrs), tostring(hrs)),MINUTES=if(len(mins)=1,"0".tostring(mins), tostring(mins)),SECONDS=if(len(secs)=1,"0".tostring(secs), tostring(secs))
| eval Time=HOURS.":".MINUTES.":".SECONDS
| fields + Time
The append line adds a dummy event, so that there is always at least one event.
Edit: actually, I think this may be more reasonable:
| stats count, sum(DURATION) AS DURATION
| fillnull value=0 DURATION
| eval secs=DURATION%60,mins=floor((DURATION/60)%60),hrs=floor((DURATION/3600)%60)
| eval HOURS=if(len(hrs)=1,"0".tostring(hrs), tostring(hrs)),MINUTES=if(len(mins)=1,"0".tostring(mins), tostring(mins)),SECONDS=if(len(secs)=1,"0".tostring(secs), tostring(secs))
| eval Time=HOURS.":".MINUTES.":".SECONDS
| fields + Time
Thanks for sharing... just used this fillnull function. Perfect!
@micahkemp, thanks for your reply! It is still showing "No Results Found" on the Dashboard.
Edited my answer. My initial search caused there to always be events, but DURATION was absent, which is why my search worked when testing but not for you. I've updated it to work even when no events are present.
It worked!
Thanks a lot @micahkemp!